Age | Commit message (Collapse) | Author | Files | Lines |
|
Issue-ID: INT-1523
Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: I2be0865395b12e1f277834b0c096f5d183cb5056
Signed-off-by: mrichomme <morgan.richomme@orange.com>
|
|
Required change for the forthcoming fix on tox execution in
ci-management/jjb/integration/integration-docker.yaml
Issue-ID: INT-1124
Change-Id: I70c3351e5cf691a9eaeb7b49ec276d825016e0fa
Signed-off-by: ebo <eliezio.oliveira@est.tech>
|
|
This version was upgraded to 0.8.9 on 2020-04-09.
Fortunately the new 0.9.4 fixes the bug that was forcing us to use
the old 0.8.x
Issue-ID: INT-1124
Change-Id: I6dacac8925af047d2e5342a76da6eb221074ddd9
Signed-off-by: ebo <eliezio.oliveira@est.tech>
|
|
Even if CLI got a NO GO for frankfurt, docker update is planned
to fix security issues for frankfurt
As a consequence, CLI must be removed from the xfail list
Issue-ID: INT-1480
Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: I78dccd2bdabe05515ff8ab64d30e9e5d6f97e74b
|
|
- Using loguru to follow new recommend standard
- Renamed Yang model filename to comply with
https://tools.ietf.org/html/rfc6020#section-5.2
- Renamed initialization data to reflect the target datastore
Issue-ID: INT-1516
Signed-off-by: ebo <eliezio.oliveira@est.tech>
Change-Id: Ifde9e832b6a308dc918e3a84e03bfd43ad0f9b63
|
|
Issue-ID: INT-1517
Signed-off-by: Bartosz Gardziejewski <bartosz.gardziejewski@nokia.com>
Change-Id: I235b0fdf12b265a256c371126e218826e74a9133
|
|
- Simple SSH and TLS configuration. Instead of specific Netopeer2
XML configuration files, the user only needs to provide:
For SSH: id_XXX.pub
For TLS: server_key.pem, server_cert.pem, and ca.pem
- SSH and TLS can be reconfigured at runtime by running
/opt/bin/reconfigure-ssh.sh and /opt/bin/reconfigure-tls.sh respectively
- Improved log readability by using zlog (on C applications) and loguru
for Python
See the updated documentation under ../docs for more information.
Issue-ID: INT-1516
Change-Id: I21052d2524f0610c6197875a544113cce1a02787
Signed-off-by: ebo <eliezio.oliveira@est.tech>
|
|
--no-site-packages and --distribute are marked DEPRECATED
and retained only for backward compatibility so removing.
Change-Id: I3cc66b5c09363d5b982537cc28b8f66609743121
Issue-ID: INT-1508
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Tag 2.6.1 is no longer available.
Change-Id: I5a2cb51d21b4c6d75aff387e87976ede184a92b2
Issue-ID: INT-1508
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Tag 2.6.1 is no longer available.
Change-Id: Ia2ce3f2d1d25e5f941cd2b49ed213445960e8a04
Issue-ID: INT-1508
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
As discussed during SECCOM call on 31.03.2020 SO team pushed hard to
finialize AAF integration in F but failed due to AAF issues.
Per TSC decision they should be granted a waiver as a project which
has been impacted by AAF
Issue-ID: OJSI-138
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I46028f2d3de80f5ca7dc274cf6af26000b766f32
|
|
To follow a common protocol of testing Golang based
applications in CI we need a 'build' target for doing
a local (non-docker) build to verify 'go build' routine.
It's however not added to "all" target as that one already
references docker based build by default.
Change-Id: I2e380ef09a1ae18456d7288f853d085617149338
Issue-ID: SECCOM-261
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Moving CSV data conversion and "expected failure" filtering away from
main function made testing these features easier. Utility behaviour
remained unchanged.
Issue-ID: SECCOM-261
Change-Id: I4cabfc7b352434c84a613c02f44af3c9630be970
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch makes scanner compatible with its shell predecessor. The same
"expected failure" list format is used i.e.
# Comment line; will be ignored
SERVICE1 NODEPORT1
SERVICE2 NODEPORT2
Single space character is used as a field separator.
Issue-ID: SECCOM-261
Change-Id: Ieedd4e98a83ffe242c695133fdf7342e17efa9a2
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: SECCOM-261
Change-Id: I465282a8793191c45d288284a127e80e1fecf513
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Each node might be described with 3 types of addresses [1]. Some
providers also use node annotations [2] for assigned addresses.
This patch filters out all IP addresses from nodes list. External IPs
take precedence over internal ones. The first address on the extracted
slice will be later used to run the scan on.
This behaviour could be later modified to e.g. loop over all extracted
IP addresses (if scan fails).
[1] https://kubernetes.io/docs/concepts/architecture/nodes/#addresses
[2] https://github.com/rancher/rke/blob/master/k8s/node.go#L18
Issue-ID: SECCOM-261
Change-Id: Ifd094447f778da378dfe1aee765f552b6ebd669f
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Utility "sslendpoints" and related packages make use of idiomatic Go
testing commands, i.e. go test [./...]. Thanks to Go Modules [1] nothing
else is needed to run internal tests for this tool.
Unfortunately it's not the case for all Go-based Integration tools. In
order to use a single automated verification script in CI additional
"make" target is required. It will provide temporary compatibility layer
with utilities setting up test environment on their own with "make test"
target.
This patch should be reverted upon removal of such cases (currently:
after dropping "../k8s/check" tool in favour of Aquasec solution).
[1] https://blog.golang.org/using-go-modules (see "Adding a dependency"
test execution explanation)
Issue-ID: INT-1498
Change-Id: I14c83f7f193c7688590366db988ff02c13c036a4
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch has not made "sslendpoints" fully compatible with
"check_for_nonssl_endpoints.sh" script yet. It sets up basic development
environment for Golang-based checkers, though.
Tool output will be added to the README after reaching full
compatibility with previous (script) version.
Development environment brought by this patch is heavily based on:
https://github.com/SamsungSLAV/boruta
Issue-ID: SECCOM-261
Change-Id: I8f035b63bea13785c40971ede5fdbbc9b6810168
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch introduces a series of patches that will provide tools which
will succeed current security check scripts. Its two main reasons are:
* increasing tools verifiability by providing internal tests,
* improving "expected failure" support by suppressing carefully selected
set of special cases.
Each tool will use following directory structure (generated with
"tree -a --charset=ascii" command):
.
`-- check_module
|-- Dockerfile
|-- .dockerignore
|-- .gitignore
|-- go.mod
|-- main.go
|-- Makefile
|-- README
|-- README.rst -> README
`-- submodule
|-- submodule.go
`-- submodule_test.go
This will allow using Go Modules mechanism within its limitations [1]
for "non-go-get-able modules" [2][3][4] - also in case of separating
code into several modules used by multiple "check modules", e.g.
.
|-- common
| |-- common.go
| |-- common_test.go
| `-- go.mod
`-- check_module
|-- go.mod
`-- ...
It would require migration from separate Dockerfiles to a single one
(multi-stage), though.
Provided Makefiles are intended to simplify local development
(Docker-less building) and container images preparation. READMEs clarify
utility requirements and usage - file without extension is for VCS
reference, symlink for proper syntax rendering.
[1] https://github.com/golang/go/wiki/Modules#is-it-possible-to-add-a-module-to-a-multi-module-repository
[2] https://github.com/golang/go/wiki/Modules#can-i-work-entirely-outside-of-vcs-on-my-local-filesystem
[3] https://github.com/golang/go/issues/26645#issuecomment-408572701
[4] https://www.dim13.org/go-get-cgit
Issue-ID: SECCOM-261
Change-Id: I48eeeda66bd5570d249e96e101e431e6bab75cb3
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: INT-1387
Signed-off-by: Huang Cheng <duke.huangcheng@huawei.com>
Change-Id: I23bda3ec2a31569d4857b2f16b9a607c64abd9f0
|
|
Change-Id: I8b0155a0a6022d7b6d172c1b46d1b7d189fcbe8a
Issue-ID: INT-1210
Signed-off-by: Enbo Wang <wangenbo@huawei.com>
|
|
* v0.7.7 of netopeer used
* SSLAuthenticationHelper marked as primary bean to avoid duplicated-bean exception
* spring props properly mounted into container
Change-Id: Ib6bb32f32a7f60786901ffbf592b1a26b5cb1cbf
Issue-ID: INT-1320
Signed-off-by: Tomasz Golabek <tomasz.golabek@nokia.com>
|
|
Issue-ID: INT-1480
Change-Id: Iabd7932e0eb8f8981d064aee0f4d8c44df65a379
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch ignores closed and filtered ports from scan results. It is
intended to keep "expected failure" list minimal.
Issue-ID: INT-1480
Change-Id: Idb93cf4e19284bc121aa45ea950d28405c29e222
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: INT-1211
Signed-off-by: Yaoguang Wang <sunshine.wang@huawei.com>
Change-Id: I5a7724e6cbfab81eeb3299c88f995c3cf9ea71ec
|
|
in CI we got an error sed: unsupported command o
due to space management in the sed command
Issue-ID: INT-1480
Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: I44c6ecd7c47ec02b76c7932bb86de0a58726d93d
|
|
List of expected failures for non-SSL services test has not been renamed
together with corresponding check script and might have been confusing.
Issue-ID: INT-1480
Change-Id: I4f88a09ddb90a14500498892f1fda99e1c3febf0
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Issue-ID: INT-1480
Change-Id: I755a3e65897f94e3f42f27bbf798c9bcd9c2868f
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
Change-Id: Ib7c21353cff267b847a4d1d7fdcb322e22772062
Issue-ID: INT-1312
Signed-off-by: rajendrajaiswal <rajendra.jaiswal@ericsson.com>
|
|
Add IT using ncclient and tox
Issue-ID: INT-1124
Change-Id: I560d4fd2468ac93f8ead36062b2e316821af8d07
Signed-off-by: ebo <eliezio.oliveira@est.tech>
|
|
to be consistent with xfail lists introduced in security tests
by Pawel Wieczorek [1]
Issue-ID: INT-1435
[1]: https://gerrit.onap.org/r/c/integration/+/103444
Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: I5345607931e443f3335f34823c5cd80290425a45
Signed-off-by: mrichomme <morgan.richomme@orange.com>
|
|
This patch extends tool used to detect plain HTTP ports to report all
non-SSL endpoints. Previously it omitted services not recognized as
HTTP.
Naming changes were made to reflect purpose of this tool better.
Issue-ID: INT-1480
Change-Id: I58a152022d48121bf4b9c6180ddc820dd4a79805
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
This patch is heavily based on previous work by
Morgan Richomme <morgan.richomme@orange.com>
(Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2)
It is intended to suppress failure reports on known plain HTTP
endpoints. Introduced list of "expected failures" (or "xfail" for short)
will be shrunk after resolving tickets related to INT-1480 and this
patch will be eventually reverted.
Issue-ID: INT-1480
Change-Id: I4edbf3efaf66bfa2dbe2f265983eb0a27048ed4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
|
|
The port scanned can be the default redis port.
A white list must be included to avoid false positive.
Open quesiton, should this list be passed as argument?
It is relatively static so for the moment, I created a list to exclude
through grep -V the false positive
Issue-ID: INT-1435
Signed-off-by: mrichomme <morgan.richomme@orange.com>
Change-Id: Ibaed4c5c0e5ae179af0ae317e543c1efdc9ddef2
Signed-off-by: mrichomme <morgan.richomme@orange.com>
|
|
Change-Id: I6adaa992fe9c2411025eb28edafef83b506bac29
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Fixed pylint issues for categories trailing-whitespace,
trailing-newlines, syntax-error, unused-import.
Change-Id: Iccbdb0c9538a6b8299c0517bafa1ec1be30f07cd
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Fixed pylint issues for categories len-as-condition, using-constant-test,
undefined-variable and reimported.
Change-Id: Idad710958c3ca0ac6da78fb4709da03e5f079b34
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Change-Id: Ic0d2a32a964a4cf5ff1580ffd06103c450a0e8b0
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
'cmp', 'file' and 'unicode' functions are Python 2
specific.
Change-Id: I30fa091ef157453a328ab40e4186c30e5ed1b3a1
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Reported by pylint.
Change-Id: I9d5ee152f3587bb2d7e8abee919e4ffe47d8ae85
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Change-Id: I3a8c706373f4004850c2403f4aee0d1f28aad464
Issue-ID: INT-1208
Signed-off-by: Enbo Wang <wangenbo@huawei.com>
|
|
Change-Id: I8b1dbdb7bf5d2d12d0104dcabc200b8827b6fb8a
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Change-Id: Idf48efd38395afc4fcb85d42e79a26f94f59a02b
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
Unused imports are removed according to pylint report
or ignore rules are added where applicable.
Change-Id: I8c32b5c3f456f0444f8ec8980910d470b7238a7d
Issue-ID: INT-1427
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
The actual SSH configuration is stored in Sysrepo and not as ordinary
~netconf/.ssh files.
Issue-ID: INT-1124
Change-Id: I7e16e09a20ac6f2d52c8958550603935b6790283
Signed-off-by: ebo <eliezio.oliveira@est.tech>
|
|
This is needed prior to adding job for JSON
files linting in CI.
Change-Id: I7e7885840cfc51b4a556fe245fa2d69b88383216
Issue-ID: INT-1451
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
This is needed prior to adding job for JSON
files linting in CI.
Change-Id: I86f68c5d25f5f521656995574bc516607f2160f4
Issue-ID: INT-1451
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
This is needed prior to adding job for JSON
files linting in CI.
Change-Id: I144873a8511f38a4336b73ac19276b213207a9fa
Issue-ID: INT-1451
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|
|
This is needed prior to adding job for JSON
files linting in CI.
Change-Id: I15ae608c0b88b8eced6c9f53914bf42355c82c50
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
Issue-ID: INT-1451
|
|
This is needed prior to adding job for JSON
files linting in CI.
Change-Id: Ia71dd28061b5e84c36c81bc1432ccd39ca8cc73a
Issue-ID: INT-1451
Signed-off-by: Bartek Grzybowski <b.grzybowski@partner.samsung.com>
|